Feeds

Will bloggers get the blame for DoH mess?

Criminal charges for who?

Reducing security risks from open source software

Opinion Health Secretary Patricia Hewitt said the mess made of online applications for doctors could lead to criminal charges. But did she mean the people responsible for such a shoddy system or did she mean the bloggers who brought the problems to light are likely to be charged?

A touch surprising to find the Secretary of State for Health, Patricia Hewitt, stating the truth in a written ministerial statement to the Commons on Tuesday:

"Because the investigation has made it clear that criminal offences may have been committed, the MWR analysis and report have been given to the police."

That "may" is a little mild, as it is quite clear that criminal offences have been committed during the wonderful little saga of the medical training application service (MTAS) and its computer system. Over and above the usual political porkies that is, such as this line from the statement:

"There had been two security breaches of the medical training application service (MTAS) that arose on 25 and 26 April."

There was no security breach that arose on 26 April. There was one that was revealed on that date, yes, but the breach went back to the beginnings of the system and was inherent in the design.

The breach itself was one that would ashame the most neophyte of script kiddies. There was no attempt to create a login session when someone entered the system, nor was there any checking of the IP of the machine being used to prevent session hijacking.

As David Gillies has pointed out: "There is NO WAY that this was anything other than gross incompetence. It is inconceivable that MTAS had a working login session mechanism that was then replaced by the brain-dead version it had when the security breaches came to light."

He then goes on to say that this is a level of stupidity likely actionable under the Data Protection Act. "Implementers of systems containing personal information have a statutory duty, I believe, to ensure only authorised persons have access to that data."

So there's our first criminal offence, among those who planned, built, and implemented this system.

Then there are those who brought the problem to light, such as the NHSBlogDoctor. Distressed at being informed of such a gaping loophole in the system he went to have a look for himself. This is a criminal offence - hacking a computer system. Unable to believe what he saw, he asked a few trusties to have a look themselves - another offence, incitement to hack a computer system.

Having committed these offences, what did the Good Doctor do then? He informed the Department of Health and the system was taken down within a few minutes, thus preventing said department from continuing in their own breach of the law.

Only the excessively cynical would believe that Ms Hewitt was referring only to the second set of breaches, rather than the first, or that the police will concentrate on the whistleblower(s) rather than the original problem.

The realists among us though, will note that there is still something of a problem. When alerted to a possible breach of the law by the authorities, it would seem that investigating such breach is in itself a criminal offence. That's certainly the way to bring about some accountability to the system don't you think? A way of preventing the more obvious lunacies, of improving the system?

But, of course, this is paranoia. No one is going to interpret the law that way, are they? In a world where adding ../../../ to a URL is worth £400 plus costs and the loss of your job and career. No, of course not, it's just paranoia. ®

Tim Worstall is a freelance and blogs at www.timworstall.com.

Maximizing your infrastructure through virtualization

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.